tlsx detects valid root certificates from Sectigo as untrusted

[n-gbr]

tlsx version: v1.2.2

Current Behavior:

When scanning a domain using Nuclei’s ssl/untrusted-root-certificate.yaml template, tlsx is used internally to determine whether the root certificate is trusted.

tlsx considers a CA untrusted, if it is:

• a CA certificate
• self-signed
• not present in assets/root-certs.pem

The according logic is implemented here:

tlsx/pkg/tlsx/clients/clients.go

Lines 454 to 462 in c68801a

	// IsUntrustedCA returns true if the certificate is a self-signed CA
	func IsUntrustedCA(certs []*x509.Certificate) bool {
	for _, c := range certs {
	if c != nil && c.IsCA && IsSelfSigned(c.AuthorityKeyId, c.SubjectKeyId, c.DNSNames) && !assets.IsRootCert(c) {
	return true
	}
	}
	return false
	}

Problem

Several valid Sectigo root certificates are not included in assets/root-certs.pem and are therefore treated as "untrusted". This leads to Nuclei returning false positives for legitimate, wide used certificates.

Expected Behavior:

Valid root certificates (including Sectigo) should be recognized as trusted (and included in assets/root-certs.pem).

Steps To Reproduce:

1. Run nuclei -t ssl/untrusted-root-certificate.yaml -u www.example.com:443 --debug
2. Use a domain whose certificate chain is rooted in Sectigo
3. Check results to see that the template reports an untrusted root certificate

[dogancanbakir]

Thanks for letting us know! This workflow has been failing for some time. I'm investigating the issue, which will be resolved once the workflow starts working again: https://github.com/projectdiscovery/tlsx/actions/workflows/update-rootca.yml

[n-gbr]

Hi, just a quick follow-up on this issue.
I saw that the fix has already been implemented and merged into dev - really appreciate your work, thanks! I was wondering if there are any updates on when it might be merged into main and included in a release.